Taking Supply Chain Risk Management Seriously

Stephen DeAngelis

April 16, 2015

A survey conducted by BSI and the Business Continuity Institute (BCI) found that over a “third (35 percent) of businesses in the manufacturing industry are extremely concerned about potential supply chain disruption.” The survey also revealed why manufacturers are increasingly concerned about disruptions — growing supply chain complexity. “More than three quarters of manufacturing firms (77 percent) report increasing supply chain complexity as the fastest growing risk in business continuity, with malicious attacks via the internet (68 percent) and increased regulatory scrutiny (58 percent) taking second and third place.” [“Supply Chain Disruption Tops Manufacturers’ Concerns, BSI Finds,” Apparel, 16 March 2015] Commenting on these results (and the impact of the recent slowdown at West Coast ports), Edith Simchi-Levi, Vice President of Operations at OPS Rules Management Consultants, writes, “Comprehensive supply chain risk management can help an organization to understand its position better, take preventive measures, and respond quickly to minimize the potential impact from an event such as this.” [“Think Differently About Supply Chain Risk,” OPS Rules Blog, 23 March 2015]

As Simchi-Levi is well aware, implementing a comprehensive supply chain risk management process is easier said than done. She doesn’t just leave companies hanging without help, however; she explains what a comprehensive risk management process must include. She explains:

“Key elements of a comprehensive supply chain risk management strategy include:

  • Know the impact of long lead times and design decisions on operational flexibility
  • Position inventory along the supply chain for low cost, high flexibility, and low risk
  • Understand the risk exposure in the supply chain as a dollar impact to your bottom line
  • Ability to monitor critical supplier performance

The first two elements require understanding of supply chain design and inventory positioning through end to end optimization. The strategic planning involved in these processes can help with long term planning and mitigation of ongoing risks. The third element is a new approach to risk management that was introduced in 2013 by David Simchi-Levi as the Risk Exposure Index (REI) for quantifying supply chain risk.”

As I understand those key elements, there are two common threads running through them — big data analytics and improved supply chain visibility. Combined those threads help weave a better picture of what the end-to-end supply chain looks like. Once the picture is clear, identifying vulnerabilities, bottlenecks, and opportunities becomes much easier. As Simchi-Levi notes, her husband Dr. David Simchi-Levi, a professor at MIT and founder of OPS Rules, introduced the Risk Exposure Index a couple of years ago. Simchi-Levi’s REI methodology helps companies calculate the financial impact of supply chain disruptions as well as the estimated time to recovery (TTR). [“Risk Exposure Index Starting to Gain Traction, Change Supply Chain Thinking, David Simchi-Levi Says,” Supply Chain Digest, 24 April 2013] Simchi-Levi told Supply Chain Digest editor-in-chief Dan Gilmore that “the effort to collect information on TTR across the supply chain changes a company’s approach to risk management. First, such companies realize they don’t have this data, and when they do collect the information there are usually some surprises. Second, the approach then often spurs companies to find ways to reduce TTR, and thus the financial impact.”

As I’ve noted before, no company can make itself immune to risks and supply chain disruptions. There are simply too many confounding variables that lie outside of a company’s control. Carrie Mantey adds, “While those bad things aren’t necessarily or directly an organization’s fault (geopolitical turmoil, natural disaster, etc.), they can be due to risk factors that perhaps were never considered or could be minimized. Companies are saying that so many problems happened over the last few years that they’re ‘outside the bounds of that notion of where their risks are,’ so now they are getting into the habit of keeping tabs on all of their third parties — vendors, suppliers, affiliates, resellers, distributors, outsourcers, and the list goes on.” [“Minimizing the Bad Things that Can Happen to a Good Company,” Supply & Demand Chain Executive, 20 March 2015] That’s exactly why the Simchi-Levis insist that companies must get to know their end-to-end supply chains better. Or as Mantey puts it, “First and foremost, organizations must understand that they can’t fix anything that they don’t know is broken.”

I’ve always insisted that good solutions start by asking good questions. Mantey apparently agrees with that approach. She proposes a few questions that companies can ask in just one area of supply chain risk — third party stakeholders:

  • Who are my third parties?
  • What are they doing for me?
  • What level of risk can they subject my organization to?
  • Who in the organization is interfacing with them?
  • Are they given access to customer data? (If so, it is the company’s reputation that suffers most if a data breach occurs.)
  • Are they following a corporate sustainability index, supplier policy, and your code of conduct or way of doing business?
  • What types of due diligence, controls, audits and/or inspections were instituted?
  • Were the principals of the third party vetted?
  • Are they on any anti-business sanction lists published by the U.S. government?
  • Are they subjecting the organization to bribery or corruption risks? Are they based in a location known for high amounts of cybercrime or bribery?

You can imagine the list of questions that needs to be generated when you start considering all of the factors that affect supply chain risk management. To help companies identify as many of the risks as possible to their supply chains, BSI offers ten tips for business continuity planning. They are:

1. Identify critical business functions – Once critical business functions have been identified, it is possible to apply a methodical approach to the threats that are posed to them and implement the most effective plans.

2. Remember the seven P’s needed to keep your business operational – Providers, performance, processes, people, premises, profile (your brand) and preparation.

3. Understand and track past incidents with suppliers – Obtain country-level intelligence so you understand what factors may cause a supply chain disruption, e.g., working conditions, natural disasters, and political unrest.

4. Assess and understand vulnerabilities and weak points – Conduct risk assessments to evaluate supplier capabilities to effectively adhere to your business continuity plans and requirements.

5. Agree and document your plans – These should never just be hidden away in the mind of the MD. Assess your critical suppliers to make sure their business continuity plans fit with your objectives and are defined within your contract.

6. Make sure plans are communicated to key staff and suppliers – Equally, share them with other key stakeholders to boost their confidence in your ability to maintain ‘business as usual.’ This is particularly important for small businesses or those working with suppliers/buyers for the first time.

7. Try your plans out in mock scenarios – If possible include suppliers in your exercises and remember to test them not only in scenarios where there may be a physical risk, such as poor weather conditions making premises inaccessible, but people risks such as supply chain challenges and boardroom departures.

8. Expect the unexpected – While lean and efficient supply chains make good economic sense, unexpected events can have a significant impact on the operations and reputation of businesses.

9. Make sure your continuity plans are nimble and can evolve quickly – If your plans look the same as they did 10 years ago, then they probably won’t meet current requirements. Organizations engaged in business continuity management will be actively learning from their internal audits, tests, management reviews and even from incidents themselves.

10. Make sure you’re not just ‘box-ticking’ – Plans which get the tick against the ‘to do’ list but don’t actually reflect the organization’s strategy and objectives can lack credibility and are unlikely to succeed in the long-term. Instead, make sure your plans allow you to get back up and running in a way that aligns with your organization’s objectives.

One of Enterra Solutions’® Board members, Benn Konsynski (@Konsynski), the George S. Craft Distinguished University Professor of Information Systems and Operations Management at Emory University’s Goizueta Business School, has some interesting insights to share about Tip #8 above — expect the unexpected. You can read about his insights in a previous article entitled “Preparing Businesses for the Unknown.” I’ve stressed before (and I’ll stress again) that supply chain risk management is a full-time activity. Unless you are engaged 24/7 in managing your supply chain’s risk, you are not taking it seriously enough.